Secondary Site Cert Not working

butlerjw78 · January 4, 2021, 11:09pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.ldhdispatch.com

I ran this command: certbot --apache

It produced this output: Good

My web server is (include version): Apache/2.4.37

The operating system my web server runs on is (include version): Centos8 Stream

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.10.1

So for some reason, certbot created a cert for my main site at www.butlercg.com and it works perfectly.... but when I created a cert for the secondary site www.ldhdispatch.com it is failing a browser test.... Invalid Cert. I have verified the key paths....everything looks good so I'm not sure where to start troubleshooting this problem.

snippit from httpd -S - I do not see a reference to ldhdispatch in the vhost fiel
:80 is a NameVirtualHost
default server butlercg.com (/etc/httpd/conf.d/butlercg.conf:6)
port 80 namevhost butlercg.com (/etc/httpd/conf.d/butlercg.conf:6)
alias www.butlercg.com
port 80 namevhost ldhdispatch.com (/etc/httpd/conf.d/ldhdispatch.conf:6)
alias www.ldhdispatch.com
*:443 is a NameVirtualHost
default server butlercg.com (/etc/httpd/conf.d/butlercg-le-ssl.conf:2)
port 443 namevhost butlercg.com (/etc/httpd/conf.d/butlercg-le-ssl.conf:2)
alias www.butlercg.com
port 443 namevhost www.butlercg.com (/etc/httpd/conf.d/ssl.conf:40)
ServerRoot: "/etc/httpd"

griffin · January 4, 2021, 11:11pm

Welcome to the Let's Encrypt Community, James

Considering that www.ldhdispatch.com has a private IP address, I can't really check it.

Are you running your own nameservers?

Are you running a load balancer of some kind?

www.ldhdispatch.com. 21599 IN CNAME www2.ldhdispatch.com.

www2.ldhdispatch.com. 21599 IN A 192.168.1.55

ldhdispatch.com. 21599 IN A 192.168.1.55

ldhdispatch.com. 21599 IN A 192.168.1.56

Litbelb · January 4, 2021, 11:14pm

Welcome to the lets encrypt community!

Do both domains redirect to the same place?

griffin · January 4, 2021, 11:15pm

It's much more confusing than even that, @Litbelb.

You don't need to delete. We like fresh blood around here. Your instincts are getting better.

Litbelb · January 4, 2021, 11:19pm

Load balancers are so confusing

griffin · January 4, 2021, 11:20pm

Yep. They certainly can cause headaches. Same with reverse proxies.

griffin · January 4, 2021, 11:24pm

I see some things in need of explanation...

ldhdispatch.com. 21430 IN SOA www.ldhdispatch.com. jbutler.butlercg.com. 20210103 3600 1800 604800 86400
ldhdispatch.com. 21430 IN NS ns2.butlercg.com.
ldhdispatch.com. 21430 IN NS ns1.butlercg.com.
ldhdispatch.com. 21430 IN A 192.168.1.56
ldhdispatch.com. 21430 IN A 192.168.1.55
ldhdispatch.com. 21430 IN MX 10 mail.ldhdispatch.com.

butlercg.com. 21599 IN SOA ns1.butlercg.com. jbutler.butlercg.com. 20210107 3600 1800 604800 86400
butlercg.com. 21599 IN NS ns1.butlercg.com.
butlercg.com. 21599 IN NS ns2.butlercg.com.
butlercg.com. 21599 IN A 192.168.1.56
butlercg.com. 21599 IN A 192.168.1.55
butlercg.com. 21599 IN A 71.227.71.168

Litbelb · January 4, 2021, 11:25pm

According to crt.sh, your SSL is acquired correctly. Though like @griffin said, we can't tell.

griffin · January 4, 2021, 11:26pm

crt.sh tells you if the certificate has been acquired correctly. Setup (installed) correctly is an entirely different matter.

griffin · January 4, 2021, 11:28pm

As a matter of practice, always remember to select the "deduplicate" option to filter out the precertificates.

griffin · January 4, 2021, 11:30pm

Based on the certificate histories with varied duplications, we can certainly tell that there have been certificate installation concerns.

butlerjw78 · January 5, 2021, 1:01am

They do, running vhost to separate directories.

griffin · January 5, 2021, 1:24am

Why the multiple IP addresses (especially the private ones)?

butlerjw78 · January 5, 2021, 1:57am

I fixed those - I was trying to route to specific internal machines. Now that's I've corrected the dns and let the Vhost files do their jobs it seems to be working fine. Page loaded with no cert errors. Thanks for the help..

griffin · January 5, 2021, 2:38am

You're quite welcome.

system · February 4, 2021, 2:38am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.